Provide request deserialization, response serialization #1683
Comments
|
Thank you for submitting this ticket, I had intended to file something similar ages ago but never managed to make time for it. In my mind I totally think I encourage us to think about how devs work with native JS capabilities and build the spec for them, not build the spec for us and hope JS devs will follow. To get some of my own thoughts out about this:
Whatever direction an effort like this takes, I think the end goal should be to make WebAuthn easier for developers to consume, especially in the browser side of things. If we can accomplish that then adoption will follow. Right now WebAuthn is a PITA to implement in large part because |
That would be my preference.
We have a lot of values which would be named base64url property values at that point, e.g.
My reasoning for CBOR over JSON: Because JSON cannot differentiate text from base64url-encoded binary, the selection of JSON would require a semantic knowledge of the message (including future additions) in order to process. This increases the maintenance of such serialization and deserialization. The selection of JSON may also push for duplication of non-encoded forms, for example including what today is getPublicKey() as a duplicated JWK within the serialized JSON response. This particular example duplication of security information and increases the risk of an implementation accidentally relying on data which is not integrity protected. I don't feel additional forms of data are necessary. For browser Javascript, we do not need a JSON form to introspect because we have the actual WebAuthn API. For things which a browser needs to understand, we should still focus on raising that information through the API, rather than through serialized forms. For the relying party infrastructure processing the data however, we necessitate binary processing already by the nature of the protocols being written in terms of U2F-legacy binary and CBOR binary messages. Semantic transformation to other forms breaks integrity. Base64 encoding binary data does not make the relying party job easier.
Agreed. While a serialized form does not create any mandate, one could see how what is client javascript libraries today might get pared down to either send the serialized form in request/responses directly, or composed within additional API messages which provide something like an authentication workflow. |
I'll take this on. I'll try and get a draft PR up before too long, I know it'll need a lot of TLC but I think it'd be a worthwhile addition to the spec. |
|
A rough first pass at a CDDL (as a potential underpinning of this addition): https://gist.github.com/dwaite/6afb1856e092e02ae6ada85f3ff1655d CDDL normally has a single output data item, so there may be multiple descriptions needed if we define specific request/responses for create and get. I'm hardly a CDDL expert, though. |
The WebIDL spec already allows for interfaces to provide a WebIDL doesn't have similar "fromJSON" provisions AFAIK. But if we wanted to allow instantiation of |
|
While In particular, the ask has been for this value to be Base64 (or I presume Base64URL) encoded, but such an encoding would need to be defined upstream by one of these two specifications for us to leverage a We would probably want guidance from WebIDL that our declaration of a This would decrease the duplication of description languages, although WebIDL would expect us to define the dictionary formats of the current interface types. Either way (WebIDL or CDDL), we have to resolve issue that |
I don't think there's a requirement that if you define a
My suggestion is to hang them off of |
|
The two leading formats would be:
I would make two points in favor of CBOR:
For the second point, additional This would likely not be an issue where the fromJSON for options is being interpreted by the platform, as @agl mentioned on call. I cannot speak to how this knowledge might complicate environments where the browser and platform have an API between them. |
IIRC, we specifically added getAuthenticatorData() because sites were asking us for ways to use basic WebAuthn (i.e. w/o attestation, extensions, etc) without needing to introduce a CBOR dependency. On the flip side, I suspect the vast majority of sites already understand how to pass JSON between a client and a server. So I think JSON is a more natural fit for the web, even if some RPs also have a CBOR dependency already.
I think the way this would work is that when browsers add a new WebAuthn feature that is accessed via a field in PublicKeyCredentialCreation/RequestOptions, they would also add deserialization support to the fromJSON method() (whether it's ArrayBuffer-valued or not). Any unsupported fields would simply be ignored.
At least in Chrome, we would implement this feature in the browser. There's no need to rely on platform APIs. |
|
This may be of interest: WICG/proposals#42 |
|
@nicksteele and I put together a document thinking about this from the WACG side of things and what a dev-friendly API would look like for serializing and deserializing WebAuthn options and responses with zero external dependencies: Below are our current ideas for additions to
RegistrationOptions const createOpts = PublicKeyCredential.optionsFromJSON({
method: 'create',
options: {
'challenge': 'N1B3...0Fmw',
'rp': {
'name': 'Example RP',
'id': 'localhost',
},
'user': {
'id': 'internalUserId',
'name': 'user@localhost',
'displayName': 'user@localhost',
},
'excludeCredentials': [
{
'id': 'ASdG...om6A',
'type': 'public-key',
'transports': ['internal']
},
],
// ...
},
});
const resp = await navigator.credentials.create(createOpts);Response const resp = await navigator.credentials.create(createOpts);
const respJSON = PublicKeyCredential.responseToJSON({
method: 'create',
response: resp,
});
// {
// "id": "XU9x...47qQ",
// "rawId": "XU9x...47qQ",
// "response": {
// "attestationObject": "o2Nm...MjeQ",
// "clientDataJSON": "eyJ0...zZX0"
// },
// "type": "public-key",
// "clientExtensionResults": {},
// "transports": ["usb"]
// }AuthenticationOptions const getOpts = PublicKeyCredential.optionsFromJSON({
method: 'get',
options: {
'rpId': 'localhost',
'challenge': 'Ecue...5ZDE',
'allowCredentials': [
{
'id': 'ASdG...om6A',
'type': 'public-key',
'transports': ['internal'],
}
],
},
});
const resp = await navigator.credentials.get(getOpts);Response const resp = await navigator.credentials.get(getOpts);
const respJSON = PublicKeyCredential.responseToJSON({
method: 'get',
response: resp,
});
// {
// "id": "XU9x...47qQ",
// "rawId": "XU9x...47qQ",
// "response": {
// "authenticatorData": "SZYN...AACA",
// "clientDataJSON": "eyJ0...zZX0",
// "signature": "MEUC...TzT8"
// },
// "type": "public-key",
// "clientExtensionResults": {}
// } |
|
From an RP consumability perspective I think this is an excellent idea. Minor nits:
Another concern is how extensions which use ArrayBuffer for input need to be documented. For example the credBlob extension input is ArrayBuffer rather than JSON. This means that the optionsFromJSON method would need to be "extension aware", which is new behaviour. Not sure if there are any other extensions with this characteristic. I expect also the JSON/B64URL encodings will eventually need a schema-like specification. |
Extensions are what made me prefer a binary CBOR block vs attempting to structure information as JSON - the binary aspect of CBOR means that the browser has to be aware of the format of all extensions it is willing to support. That said - I believe browsers are all currently white-listing extensions, which means that they can ignore the formatting/validity of requested extensions they do not understand. |
|
This is desperately needed as currently to implement webauthn on the server side, you also need to create a matching client JS library. So long as it's consider how this will work in a WASM context for non-js languages, then this is supported by me. |
|
Thanks for the proposal! I recently toyed with this in Chromium, and I have a couple suggestions. For the response case, wouldn't it be simpler to define a toJSON() method that can be called on the respective PublicKeyCredential instance that the WebAuthn call returns, rather than have a static PublicKeyCredential method that effectively receives the instance plus 'method' as arguments? IMHO that'd be easier to use and it's what the Web IDL spec suggests here. (Obviously, that's not possible for the request objects, since they're just dictionaries, rather than interface types.) For either response examples, the top-level PublicKeyCredential-ish object should include an For the create response example, why does Also for the create response example, I believe the
I think it's a fair assumption that browsers will not pass authenticator extensions in either direction that they don't understand. It's true for Chromium, and likely the case for the remaining WebAuthn implementers as well. |
|
Please review my code snippets above from a high level. I regret now not being exhaustive when I wrote all that out because the conversation thus far has been on how imperfect the examples are. My goal was for us to discuss potential API design and then start getting into the weeds on what values should be represented where... That said there seems to be enough interest now in an effort to add a dependency-free serialization API to WebAuthn L3. I think those of us in the WACG can take this back now and draft a more comprehensive proposal that will include all of the bits my "sanity check examples" left out. |
@kreichgauer You make a great point here, a const resp = await navigator.credentials.create(createOpts);
const respJSON = resp.toJSON();
apiClient.postJSON(url, respJSON);I think this'd be great for serializing responses. It'd still need to be paired with something like the
You're right, as of L3 this'll be the case thanks to #1668.
These are the kinds of good questions I figured we'd get to in a PR after I gauged sufficient (current) interest in the idea of serialization helpers to attempt to make a change to the spec. I'm sure there are a few opinions about where values like |
For what it's worth, npx @github/webauthn-json schemaAs of {
"credentialCreationOptions": {
"publicKey": {
"required": true,
"schema": {
"rp": {
"required": true,
"schema": "copy"
},
"user": {
"required": true,
"schema": {
"id": {
"required": true,
"schema": "convert"
},
"name": {
"required": true,
"schema": "copy"
},
"displayName": {
"required": true,
"schema": "copy"
}
}
},
"challenge": {
"required": true,
"schema": "convert"
},
"pubKeyCredParams": {
"required": true,
"schema": "copy"
},
"timeout": {
"required": false,
"schema": "copy"
},
"excludeCredentials": {
"required": false,
"schema": [
{
"type": {
"required": true,
"schema": "copy"
},
"id": {
"required": true,
"schema": "convert"
},
"transports": {
"required": false,
"schema": "copy"
}
}
]
},
"authenticatorSelection": {
"required": false,
"schema": "copy"
},
"attestation": {
"required": false,
"schema": "copy"
},
"extensions": {
"required": false,
"schema": {
"appid": {
"required": false,
"schema": "copy"
},
"appidExclude": {
"required": false,
"schema": "copy"
},
"credProps": {
"required": false,
"schema": "copy"
}
}
}
}
},
"signal": {
"required": false,
"schema": "copy"
}
},
"publicKeyCredentialWithAttestation": {
"type": {
"required": true,
"schema": "copy"
},
"id": {
"required": true,
"schema": "copy"
},
"rawId": {
"required": true,
"schema": "convert"
},
"response": {
"required": true,
"schema": {
"clientDataJSON": {
"required": true,
"schema": "convert"
},
"attestationObject": {
"required": true,
"schema": "convert"
},
"transports": {
"required": true,
"schema": "copy"
}
}
},
"clientExtensionResults": {
"required": true,
"schema": {
"appid": {
"required": false,
"schema": "copy"
},
"appidExclude": {
"required": false,
"schema": "copy"
},
"credProps": {
"required": false,
"schema": "copy"
}
}
}
},
"credentialRequestOptions": {
"mediation": {
"required": false,
"schema": "copy"
},
"publicKey": {
"required": true,
"schema": {
"challenge": {
"required": true,
"schema": "convert"
},
"timeout": {
"required": false,
"schema": "copy"
},
"rpId": {
"required": false,
"schema": "copy"
},
"allowCredentials": {
"required": false,
"schema": [
{
"type": {
"required": true,
"schema": "copy"
},
"id": {
"required": true,
"schema": "convert"
},
"transports": {
"required": false,
"schema": "copy"
}
}
]
},
"userVerification": {
"required": false,
"schema": "copy"
},
"extensions": {
"required": false,
"schema": {
"appid": {
"required": false,
"schema": "copy"
},
"appidExclude": {
"required": false,
"schema": "copy"
},
"credProps": {
"required": false,
"schema": "copy"
}
}
}
}
},
"signal": {
"required": false,
"schema": "copy"
}
},
"publicKeyCredentialWithAssertion": {
"type": {
"required": true,
"schema": "copy"
},
"id": {
"required": true,
"schema": "copy"
},
"rawId": {
"required": true,
"schema": "convert"
},
"response": {
"required": true,
"schema": {
"clientDataJSON": {
"required": true,
"schema": "convert"
},
"authenticatorData": {
"required": true,
"schema": "convert"
},
"signature": {
"required": true,
"schema": "convert"
},
"userHandle": {
"required": true,
"schema": "convert"
}
}
},
"clientExtensionResults": {
"required": true,
"schema": {
"appid": {
"required": false,
"schema": "copy"
},
"appidExclude": {
"required": false,
"schema": "copy"
},
"credProps": {
"required": false,
"schema": "copy"
}
}
}
},
"version": "0.6.3"
}
|
Architecturally, 90+% of browser-hosted WASM has no need to interact with WebAuthn, as it is the server component of the architecture which is challenging and processing the registrations and assertions. Outside of ZKP experiments such as Cloudflare's and demo applications, WASM code would mostly act analogous to client-side form validation, processing and rejecting created credentials which did not meet the codified server policy. That said, in many cases you might not even gain significant performance benefits from WASM due to serialization and the lack of WebCrypto in WASM. That said, a JSON serialization does provide a solid default for a serialization of the data into and out of the WASM context for use cases which may benefit. |
And 99% of all Javascript also has nothing to do with WebAuthn, and yet, here we are talking about how to make it accessible to use Webauthn from JS.
I'm sorry, are you confused? The issue in this matter is that the types as defined by Webauthn are not possible to deserialise from JSON directly into JS/WASM in a manner that the platform API's can consume, currently forcing all RP implementors to fiddle with the content of the structures. So it doesn't matter if it's JS or WASM there is currently no way to take "JSON" and feed that to the navigator.credentials apis without messing with it.
As the author of Webauthn-RS, who implemented the demo site and examples for all client side browser elements in WASM and NOT Javascript, I'd like to disagree. There is also a huge and growing interest in WASM for client side elements in replacement of JS. As such, WASM is an important use case to consider. |
Can you elaborate on this example of client side usage via WASM which is outside local demonstration purposes? Also, do you have specifics in mind for ways to make the deserialization/serialization more accessible to WASM outside providing the helpers for a consistent format being already described here, e.g. serialization and deserialization formats for requests and responses? |
What is there that needs elaborating? Instead of using JS, you use WASM. As a result, and changes to make it easier to get from JSON -> navigator.credentials.get/create need to work in a WASM context.
Yes, I have previously described these here #1619 |
What would WASM do with the data in this context, e.g. specifically within a browser under the local user's control, other than create a demo app which provides no access into remote systems? The goal is to provide API useful for production systems, not necessarily demonstrations or experimentation. That said, I'm trying to make sure there are not concrete features which would be missed toward that goal. An example I proposed here was having logic analogous to local form validation. Examples there would be that the credential returned only contains known extensions, or that a created credential has a properly rooted attestation. The purpose of proposing serialization and deserialization here is specifically that the browser presentation has so little that it can do with WebAuthn. The challenges and assertions are made between the back-end infrastructure and the authenticator.
From that earlier issue, I surmise your goal is encompassed as the one stated here then; we wish to provide methods to go in between some serialization needed by the server and the requests/responses exposed by the API, in order to eliminate the hard requirement for clients and servers to individually define their own implementation-specific approach for that. You asked for considerations of how it would work in WASM for non-js languages - is there an example of a serialization of the data which would be sufficient for server usage but which would be insufficient for local WASM processing you had in mind? My suspicion is that there will be more discussion on whether the response serialization should be of integrity-protected binary data and client supplemental data only. The alternative would be having the duplication we currently expose in the API responses, such as returning an additional copy of the public key on credential creation in a more commonly understood format (conditionally, when no attestation was requested) |
As I'm reading this, you are expressing an opinion that WASM is a "demo" or a "toy" language, and not something you need to seriously consider in the surface area of webauthn and how it interacts with a browser.
I am extremely confused by what you are asking here, because I think you are confused about what I'm requesting.
Both of which would be "breaking" changes to what a browser provides, and are desperately needed both so that RP's no longer need JS/WASM to mangle incoming requests so that nav.cred can understand it, but also because a large number of parameters in Webauthn an unsigned which opens the door to a number of potential security issues which extensions poorly defend from. |
I'm sorry if my message was interpreted that way. I'm trying to verify any requirements you may have. If it helps, WASM instructions or Javascript code consuming authentication assertions within the browser has limited utility. You are making an authentication assertion into a locally held and easily user introspectable box. Whether you are protecting e.g. an IndexedDB database by a locally prompted password or WebAuthn, the data is still a local database, exposed one pane over via developer tools. Remote infrastructure, whether running on top of WASM or a virtual or native machine architecture would be normally where you would produce challenges and verify the assertion. The choice of execution architecture here should not have an impact over say, the choice of programming language. There have been proposals to add e.g. a way to unlock a symmetric key with WebAuthn, which changes this equation significantly - but I'd argue serializing this symmetric key (or making it exportable in general) is probably a bad idea.
To ask tersely - you asked for considerations. I asked for what those considerations would be.
There are five buckets of information, somewhat blended together
These pieces represent multiple actors and multiple sets of security considerations/attacker models. That is why I hope the helper information (like getPublicKey and getAuthenticatorData) are not serialized as part of responses, as correct validation becomes that much harder if someone does part of their processing on e.g. the non-integrity-verified copy authenticator data. I'd much rather tooling like Webauthn-RS generate their own Helper API as appropriate from the serialized responses. |
I think you are over thinking this. Just imagine that instead of JS, replace it with WASM. The architecture is still: Just replace the dynamic JS parts with WASM, and you get what what I'm asking.
Okay, to be explicit. Today, when you perform a browser fetch request to a webauthn endpoint of a server, you receive a JSON response. Deserialising that JSON into the WASM or JS context, it is not possible to create a Uint8Array. As a result, the structure has an array of bytes, but in a different format. This means that any RP today MUST create dynamic components that MUST execute in the browser, that MUST alter the content of any structure which is intended to be passed into navigator.credentials apis. This is commonly achieved by base64url encoding and decoding the fields. So there a number of potential ways to tackle this:
So let's consider this from the JS/WASM context.
I think this section of the comment doesn't apply to the JS/WASM discussion, but I have discussed before about this issue within this group as this has led to CVE's in the past. If this change was to be accepted in a manner where browsers would need to alter their platform apis for navigator.credential, then it would be viable to actually potentially correct this long standing defect in the webauthn specification such that the entire chain of communication is verified rather than small elements. |
|
WASM is really neither here nor there, I suggest we constrain future discussion to JS because the question of how you invoke JS global APIs from WASM will never be the purview of this working group. |
|
If you make a Actually, it is a mystery to me why the API currently returns "things" that cannot even be sent to the server directly, but require "post-processing" to do so. And if you provide such a So basically, what was initially suggested in the post there #1362 😁 |
From #1362: " On the call of 2020-01-22 it was decided that the use of ArrayBuffers is reflecting W3C direction as we understand it and that revisiting that would be too much. [...]"
Getting rid of CBOR is not feasible. The security messages themselves are signed binary in a mix of U2F-inherited format and CBOR extensions/attestations. Any translated version of the contents would no longer be integrity protected, and integrity protection is paramount to the server understanding authentication is being performed correctly. Any non-binary, non-CBOR form would be generated by the server after validating the binary responses had proper integrity and were correct answers to the challenges created by the server. The getPublicKey() method, added in level 2, is meant to provide the public key on creation with the specified limitations. This includes not requesting attestation on registration, as you will need the non-modified binary message in order to verify said attestation. |
|
Sorry for being dumb, but I still don't get it. On the client side, you have to transform it in proper JSON to even send it to the server. So, from the perspective of a web developer, I don't understand why being directly decoded would be a problem.
I haven't gone through the validation/verification part. Please take into consideration that an average developer has no idea about U2F and CBOR. What "we" are familiar with is to have a public key in order to verify a signature of some data. Almost always, these are just base64url encoded values sent around. So, in this spec, it feels highly unusual and strange that this unknown CBOR protocol plays such a crucial role ....actually, even after digging into the specs, I still don't know why the original CBOR encoded form would matter ...however with the spec being 165 pages long, it's of course extremely challenging to assimilate, so I probably missed the important part. If you want to make something really great, then make a |
Right, but the original statement:
Implies that a full fledged transforms would be applied by this API, rather than simple base64 encoding and embedding the normal configurations and results into a JSON structure. Specifically, that such transforms would eliminate the server's burden for understanding the CBOR format of attestations and extensions. There is not much capability for doing this between the client and server. The server can certainly create its own simplified forms for business logic and policy evaluation after verifying the credential result, but the server needs to be able to evaluate based on unmodified data in order to do signature integrity checks. Add onto this that translation between CBOR and JSON is limited, as CBOR is a superset of JSON. Translating CBOR to JSON means that only responses that the client fully understands would be available. |
Release notes: - Add a `browser-ponyfill` build to match the new API shape from w3c/webauthn#1683
Release notes: - Add a `browser-ponyfill` build to match the new API shape from w3c/webauthn#1683
Release notes: - Add a `browser-ponyfill` build to match the new API shape from w3c/webauthn#1683
|
I've implemented @MasterKale's API from #1703 in https://github.com/github/webauthn-json as // @github/webauthn-json/browser-ponyfill
function supported(): boolean;
function parseCreationOptionsFromJSON(json: JSON): CredentialCreationOptions;
function parseRequestOptionsFromJSON(json: JSON): CredentialRequestOptions;
// You can call `.toJSON()` on the result or pass directly to `JSON.stringify()`.
function create(
options: CredentialCreationOptions,
): Promise<PublicKeyCredential>;
// You can call `.toJSON()` on the result or pass directly to `JSON.stringify()`.
function get(options: CredentialRequestOptions): Promise<PublicKeyCredential>;This ended up fairly simple thanks to @MasterKale's efforts, but I'd love to see if this also works for people in the wild, in case that can help shake out any issues before browsers implement the API. The ability to pass the object directly to |
Release notes: - Add a `browser-ponyfill` build to match the new API shape from w3c/webauthn#1683 We've been using the ponyfill on github.com for over two weeks without issue at this point!
|
bump; is there a reason for this to be open after the merge of PR #1703 ? |
|
No, we should be able to close this now. |
The addition of
ArrayBufferin the WebAuthn APIs has been an often-cited challenge for relying party developers, as JavaScript does not have integration for converting such buffers to text for serialization via JSON. JSON itself is not necessarily the best format because of the binary content, including for items like extensions.I'd like to propose deserialization request forms of PublicKeyCredential as long as serialization of the response forms of PublicKeyCredential.
To do this, I would propose a serialization based on a schema (such as CBOR and CDDL) covering the options valid for a PublicKeyCredential. CBOR data is preferred because of the need to preserve the binary signed messages, and due to several internal values being declared as binary identifiers or as CBOR.
Additionally, convenience methods to work in terms of a base64-encoded form of the CBOR data would be desirable for use in text-based API.
As deserialization would result in a PublicKeyCredential object, Javascript would still have full fidelity to inspect and possibly manipulate before making a create() or get() request. Likewise, Javascript would have the ability to inspect the response object before serializing it to share with a remote service.
Deserialization for responses and serialization of requests would both be more difficult due to the possibility of arbitrary manipulation by the user and responses having methods in addition to data.
The text was updated successfully, but these errors were encountered: